Exploit Brokers by Forgebound Research
Hey there,
It's Cipherceval. So you ran your Windows Update this week, right? Because if you haven't, go do that. Microsoft just patched six actively exploited zero-day vulnerabilities, and that's only story one. This week we've also got North Korean hackers poisoning your npm packages through fake job interviews, nation-state actors turning Google's own AI against us, and two data breaches that should make everyone reconsider how much of their personal data is floating around out there.
Zero-Day
🌐 Microsoft Patch Tuesday: 6 Actively Exploited Zero-Days
Microsoft's February 2026 Patch Tuesday addressed 58 vulnerabilities, but the headline is six actively exploited zero-days. That's not normal. The lead vulnerability, CVE-2026-21510 (CVSS 8.8), is a Windows SmartScreen bypass that Google's Threat Intelligence Group (GTIG) confirmed was under "widespread active exploitation." An attacker crafts a malicious link, you click it, and SmartScreen (the "are you sure?" prompt that is supposed to stand between you and an untrusted download) just lets the malware through.
Two more security bypass zero-days target MSHTML (the old Internet Explorer engine still baked into Windows) and Microsoft Word's OLE mitigations. On the privilege escalation side, flaws in Remote Desktop Services and Desktop Window Manager give attackers SYSTEM-level access, the highest local privilege in Windows. These are local bugs: the attacker needs code already running on the box, which is exactly what the bypass flaws provide. CrowdStrike found the RDS exploit and noted it was sophisticated enough that threat actors will race to use or sell it.
What stands out is the collaboration: Google, CrowdStrike, Acros Security, and Microsoft's own teams all independently flagged these bugs — suggesting active campaigns, possibly by the same threat actor chaining bypass + escalation for a full attack chain.
🚨 Action Required
Update your stuff. Seriously: a patch does you no good if it's downloaded but not installed, or installed but waiting on a reboot. If you manage Windows systems in any capacity, confirm the February cumulative update actually shows as installed on every endpoint and server, then reboot them. Six actively exploited zero-days in one month is not something you sit on.
Lazarus Group
🔓Lazarus Group "GraphAlgo": Fake Recruiters Poison npm & PyPI
North Korea's Lazarus Group has been running a sophisticated fake recruiter campaign targeting JavaScript and Python developers through npm and PyPI — the package repositories most developers use every day. ReversingLabs published research on the campaign (codenamed "GraphAlgo"), active since at least May 2025.
The playbook: create fake crypto companies like "Veltrix Capital" with professional domains and GitHub orgs, then approach developers on LinkedIn, Facebook, and Reddit with job offers. The "coding assessment" project contains a malicious dependency. The moment you run npm install, you've backdoored your own machine: npm runs any preinstall or postinstall script a package declares during installation, so you never have to actually run the project code for the payload to execute.
One package called "bigmathutils" racked up 10,000+ downloads as a benign library. The malicious payload wasn't introduced until version 1.1.0 — build trust, then inject the poison. In total, researchers found 192 malicious packages. The deployed RAT features token-based C2 authentication — not a script kiddie operation. Attribution sits at medium-to-high confidence based on fake job interview patterns, crypto-focused lures, and Git commit timestamps aligned with GMT+9 (North Korea's time zone).
🔧 Action Required
If you've installed unfamiliar packages as part of a coding challenge or job assessment in the last year, treat that machine as compromised: rotate every credential it has touched (SSH keys, cloud and CI tokens, npm and PyPI publish tokens, browser-saved passwords, crypto wallet seeds) from a different device, and consider a full OS reinstall. For everyone: don't just blindly npm install. Run it in a throwaway VM or container, install with --ignore-scripts first, read every lifecycle script in the dependency tree, and check when each dependency version was actually published before you trust it.
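The two things the GraphAlgo lure relies on are install-time hooks and a version range that lets a later poisoned release slip in. The following Node.js script is an added example (not ReversingLabs' tooling, not anything from the campaign) that audits a coding assessment's package.json before you install it: it flags lifecycle scripts in the project and in the dependencies that would actually resolve, dependency specs that can float to a newer release, and dependencies pulled from git or arbitrary URLs instead of the registry. Every package name, version and script in the sample data is constructed for illustration.

```javascript
// Added example: a pre-install audit of a "coding assessment" project.
// It never runs npm. It only reads manifests you already have on disk: the
// project's package.json and, optionally, the package.json of each dependency
// tarball you fetched with `npm pack <name>@<version>` before installing.
// All package names, versions and scripts below are constructed for illustration.

const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];
// Specs that bypass the registry entirely (git repos, arbitrary URLs, tarballs).
const URL_SPEC = /^(git\+|git:|github:|https?:|file:)|\.tgz$/i;
// An exact semver pin, e.g. "1.0.3" or "2.0.0-beta.1". Anything else can float.
const EXACT_PIN = /^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Can npm resolve this spec to a release nobody has reviewed yet?
// "^1.0.0" happily pulls a later 1.1.0: the build-trust-then-inject pattern.
function isFloatingSpec(spec) {
  return !EXACT_PIN.test(spec.trim());
}

// Lifecycle scripts run during `npm install`, before any project code is run.
function auditScripts(pkgName, manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE_SCRIPTS.filter((hook) => scripts[hook]).map((hook) => ({
    pkg: pkgName,
    kind: "lifecycle-script",
    detail: `${hook}: ${scripts[hook]}`,
  }));
}

// project: parsed package.json of the assessment.
// depManifests: { depName: parsed package.json of the version that would install }.
function auditProject(project, depManifests = {}) {
  const findings = auditScripts(project.name || "<project>", project);
  const deps = { ...(project.dependencies || {}), ...(project.devDependencies || {}) };
  for (const [dep, spec] of Object.entries(deps)) {
    if (URL_SPEC.test(spec)) {
      findings.push({ pkg: dep, kind: "url-dependency", detail: spec });
    } else if (isFloatingSpec(spec)) {
      findings.push({ pkg: dep, kind: "floating-version", detail: spec });
    }
    if (depManifests[dep]) findings.push(...auditScripts(dep, depManifests[dep]));
  }
  return findings;
}

// Constructed sample: what a lure repo's package.json might look like.
const SAMPLE_PROJECT = {
  name: "coding-assessment",
  dependencies: {
    express: "4.18.2",                       // exact pin, no finding on its own
    "fake-math-helper": "^1.0.0",            // floats up to a later 1.x release
    "fake-chart-lib": "git+https://example.invalid/org/chart-lib.git",
  },
  scripts: {
    test: "node test.js",
    postinstall: "node ./scripts/setup.js", // runs the moment you `npm install`
  },
};

// Constructed sample: the manifest of the fake-math-helper release that would
// actually resolve, carrying an install-time hook the 1.0.x releases never had.
const SAMPLE_DEP_MANIFESTS = {
  "fake-math-helper": {
    name: "fake-math-helper",
    version: "1.1.0",
    scripts: { preinstall: "node -e \"require('./lib/init')\"" },
  },
};

// Human-readable summary; an empty result is not a clean bill of health.
function report(findings) {
  if (findings.length === 0) return "no findings; still install with --ignore-scripts first";
  return findings.map((f) => `[${f.kind}] ${f.pkg}: ${f.detail}`).join("\n");
}

console.log(report(auditProject(SAMPLE_PROJECT, SAMPLE_DEP_MANIFESTS)));
```

Run it against the assessment repo before touching npm install. To fill in the dependency manifests, fetch each tarball with `npm pack <name>@<version>` (which downloads the archive without installing it) and read the package.json inside, and use `npm view <name> time` to see when each version was published; a years-old package with a brand-new minor release is the exact shape of the bigmathutils trick. When you do install, start with `npm install --ignore-scripts` so nothing executes until you have read what the hooks would have done.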
~Cipherceval
AI
📱 Nation-State Actors Weaponize Google's Gemini AI
Google's Threat Intelligence Group (GTIG) published a report on February 12th confirming what many in the security space feared: state-backed hackers from North Korea, Iran, China, and Russia are actively using Google's Gemini AI to accelerate cyber operations.
North Korea's UNC2970 (overlapping with Lazarus Group) used Gemini to synthesize OSINT and profile high-value targets in defense and cybersecurity. They even researched salary information to make fake recruiter lures more convincing — that's Operation Dream Job supercharged with AI. Iran's APT42 crafts phishing personas with native-sounding language. China's Mustang Panda compiled dossiers on individuals. Russia's UNC795 used it for technical troubleshooting and building attack infrastructure.
The real alarm: Google identified HONESTCUE, malware that uses Gemini's API to receive C# source code, then compiles and executes it directly in memory. Fileless, polymorphic, and AI-generated — all in one package. They also found COINBAIT, a crypto exchange phishing kit built using an AI coding platform called Lovable AI.
🛡️ Action Required
Bad grammar is no longer a reliable phishing indicator. Update your security awareness training. Always verify requests through out-of-band channels — if you get a text claiming to be your boss, confirm it through a different platform you trust (Teams, Slack, email). Think of it as two-factor authentication for communications.
Data Breach
🛡️ Odido Breach: 6.2 Million Dutch Records Stolen
Odido, the largest mobile network operator in the Netherlands (formerly T-Mobile Netherlands), confirmed that hackers breached their customer contact system and stole personal data affecting approximately 6.2 million people — roughly a third of the country's entire population.
The stolen data includes names, addresses, emails, phone numbers, dates of birth, bank account numbers (IBANs), and passport or driver's license numbers with validity dates. As one Dutch ethical hacker put it, that combination is "worth gold to criminals" — everything needed for identity fraud and highly targeted social engineering.
This fits a broader pattern: Salt Typhoon compromised hundreds of telecoms globally, SK Telecom saw a 90% drop in operating profit from breach costs, and French regulators fined Free SAS €42 million. Telecom companies are prime targets because they aggregate massive amounts of personal data in centralized systems.
🔍 Action Required
If you're an Odido customer, or a customer of its Ben brand, expect convincing phishing attempts that quote your real personal details. Verify everything through official channels. Be extremely skeptical of any urgent requests; urgency is a red flag. Your threat detector should go off any time someone says you must act right now.
Data Breach
📦 Conduent Breach: From 4 Million to Tens of Millions
Government technology contractor Conduent suffered a ransomware attack in January 2025; its initial disclosure counted about 4 million affected people in Texas. TechCrunch reported on February 5th that the actual number in Texas alone is now 15.4 million, roughly half the state's population. Another 10.5 million are affected in Oregon, with notifications going out across Delaware, Massachusetts, New Hampshire, and more. The total could stretch into tens of millions nationwide.
Conduent processes government payments, handles benefits administration, manages toll collection, and provides child support payment services: critical infrastructure most people never think about. The stolen data includes SSNs, medical data, and health insurance information. The SafePay ransomware gang claimed 8TB stolen. In its SEC filing, Conduent acknowledged a "significant number of individuals' personal information" was compromised.
The timeline is what's frustrating: attack in January 2025, initial disclosure of 4M affected, then over a year later in February 2026 we learn it's potentially ten times that. Whatever the reason for the gap, the people in that extra ten million spent a year exposed without knowing it, and a breach notice that arrives a year late is worth very little.
⚠️ Action Required
If you interact with government services (most of us do), monitor your credit, freeze it if you can, and be vigilant for unusual activity. Don't wait for a notification letter — breach disclosures can be icebergs. Proactively monitor your identity.
🎯 5 Key Takeaways
1. Patch like it's urgent. Six actively exploited zero-days in a single Patch Tuesday is an emergency. Update your stuff.
2. Your package manager is an attack surface. If a recruiter asks you to run code, treat it like an email attachment from a stranger. Sandbox it. Audit the dependencies.
3. AI is a force multiplier — for good or bad. Bad grammar is no longer a reliable phishing indicator. Your security awareness training needs to evolve.
4. Telecom data is a goldmine. If your provider is breached, expect convincing social engineering attacks using your real data. Verify everything through official channels.
5. Breach disclosures can be icebergs. Conduent went from 4M to tens of millions over a year. Monitor your identity proactively — don't wait for a notification letter.
🎧 Watch/Listen to the Full Episode
Catch the full breakdown on YouTube, Spotify, or Apple Podcasts — search "Exploit Brokers by Forgebound Research."
Found this valuable? Forward it to someone who touches a computer.
Stay vigilant, stay curious, and update your stuff.
— Cipherceval / Forgebound Research